AUDIT OF NARA'S WORK-AT-HOME SYSTEM

OIG Audit Report No. 09-15

September 29, 2009

EXECUTIVE SUMMARY

The National Archives and Records Administration (NARA) Office of Inspector General (OIG) completed an audit of NARA's Work at Home System (WAHS). The WAHS was initiated to enhance NARA's remote access capabilities while satisfying the Office of Management and Budget (OMB) mandate for two-factor authentication¹. During this audit, we assessed NARA's efforts in developing this system to determine whether the WAHS was developed in accordance with NARA requirements and would meet OMB technical requirements.

In June 2006, OMB issued memorandum M-06-16, Protection of Sensitive Agency Information, requiring all departments and agencies to only allow remote access with two-factor authentication where one of the factors was provided by a device² separate from the computer gaining access. The intention of this mandate was to ensure additional controls were in place when information, particularly Personally Identifiable Information (PII), is accessed from outside of an agency's physical location. Additional controls are needed to compensate for the lack of physical security controls, such as locks, badges, and security guards, which are present at agency locations. This safeguard along with others were to be reviewed and in place within 45 days of the memorandum. NARA had been working on the WAHS since 2007 to meet this two-factor authentication mandate.

Our review found that because of the significant delay in the implementation of the WAHS, NARA was not in compliance with the two-factor authentication requirements mandated by OMB. The WAHS was a high-priority project to be completed within a very short timeframe.
However, the requirements of NARA's IT Investment Management Process³ were not followed resulting in significant program delays, cost overruns, and failure to meet OMB defined requirements. This overarching condition has left NARA information vulnerable, restricted telecommuting, and impacted NARA's budget through cost overruns and lease of equipment to include tokens, at a cost of over $200,000, which could not be deployed. Further, by not fully defining system requirements, critical technical challenges still needed to be addressed before the system could be fully operational and meet the intent of OMB requirements. Consequently, a system originally estimated to cost $500,000 has now escalated to over $1.23 million and is still far from full implementation.

Our audit identified several improvements to be made in the development and deployment of the WAHS. We made seven recommendations to ensure the system meets OMB requirements and improves the security of remote access to PII and NARA proprietary information.

¹ An authentication factor is a piece of information and process used to authenticate or verify a person's identity requesting access. Two-factor authentication is a system wherein two different factors are used to authenticate. Using two factors as opposed to one delivers a higher level of authentication assurance.

² Examples of separate devices include USB tokens and smart cards.

³ NARA's IT Investment Management Process is detailed in Interim Guidance 801-2, Review of IT Investments.

BACKGROUND

Effective project management is essential in obtaining the right equipment and systems to accomplish NARA's mission.
Specifically, system development projects must be managed and tracked to ensure cost, schedule, and performance goals are met. If systems are not adequately and properly managed, NARA could end up with overpriced systems that do not meet NARA requirements or mission.

The OIG has repeatedly found that NARA systems are not always developed in accordance with NARA guidelines; system projects are not always effectively managed and monitored; and proper system acceptance activities may not occur prior to the agency accepting delivery of a system. As a result, the OIG has listed project management and system development activities as one of NARA's top ten challenges noting that the agency is challenged with planning projects, developing adequately defined requirements, analyzing and testing to support acquisition and development of systems, and oversight to ensure effective or efficient results within costs.

The Office of Information Services (NH) is responsible for administering NARA's information resources management programs, projects, processes, and infrastructure, including the overall operation of NARA's Information Technology (IT) Investment Management process. Within NH, the Capital Planning and Investment Process (CPIC) is directed by IT Policy and Administration Division (NHP). NHP ensures that all NARA IT initiatives are properly planned, costed, reviewed, and approved by the senior staff before significant funds are expended. The proposals and product plans required to complete this process are described in NARA Interim Guidance 801-2, Review of Information Technology Investments (NARA 801).

Also within NH, the Systems Development Division (NHV) provides project management leadership for the requirements collection, development and major enhancements of IT applications and systems.
NHV Project Managers are responsible for cost, schedule, quality, communications, and risk management of these projects. Project Managers are also responsible for ensuring new IT systems or major modifications to IT systems conform to the Systems Development Lifecycle Handbook and the Systems Development Guidelines.

The WAHS, which consisted of several commercial-off-the-shelf (COTS) software packages, was expected to implement an IT infrastructure system that would enable secure, remote access to selected General Service Systems (GSS) that reside on NARANet to include: GroupWise e-mail access, file access to shared and personal drives, access to NARA@Work content, access to Microsoft Office 2003 applications, and access to the Internet. System capabilities included the need to (1) support the Work-at-Home initiative as part of the agency's Comprehensive Emergency Management (CEMP) and Continuity of Operations Plan (COOP) activities, and (2) implement two-factor authentication as mandated by the OMB Memorandum 06-16, Protection of Sensitive Agency Information.

OBJECTIVE, SCOPE, METHODOLOGY

The objective of this audit was to determine whether the WAHS was developed in accordance with NARA requirements and efficiently and effectively met the requirements of the OMB memorandum M-06-16, Protection of Sensitive Agency Information. Specifically, we sought to determine whether the project proposal, plan, and approval were completed in accordance with NARA requirements and whether technical requirements were developed to meet OMB requirements for remote access.
The audit was limited to the development, testing, pilot, and implementation of the WAHS.

We examined applicable laws, regulations, and NARA guidance, including (a) OMB Memorandum M-06-16, Protection of Sensitive Agency Information; (b) Clinger-Cohen Act; (c) Homeland Security Presidential Directive (HSPD)-12; (d) National Institute of Standards and Technology (NIST) Special Publication 800-53, Recommended Security Controls for Federal Information Systems; (e) Federal Information Processing Standards Publication (FIPS PUB) 140-2, Security Requirements for Cryptographic Modules; (f) NARA Interim Guidance 801-2, Review of Information Technology Investments; and (g) Supplement to NARA 801-2, System Engineering Capital Planning Investment Management Decide Process.

To accomplish our objective, we met with the WAHS Project Manager and other NARA officials involved with the WAHS project. We reviewed the WAHS project proposals and other system development documents such as the Concept of Operations and Initial Requirements Specification, Design Specification, and monthly Capital Planning and Investment Process reports. We also reviewed Requests for Changes (RFCs) and Requests for Work (RFWs) related to the WAHS and meeting minutes of various NARA IT committees.

Our audit work was performed at Archives II in College Park, MD between December 2008 and June 2009. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

FINDINGS AND RECOMMENDATIONS

NARA Was Not Compliant with OMB Mandated Two-Factor Authentication

NARA was not in compliance with the two-factor authentication requirements for remote access mandated by OMB in June 2006. This occurred because NARA failed to meet several established deadlines to implement the WAHS, which was intended to meet the OMB mandate. Consequently, NARA's email system remained vulnerable to network and hacker attacks and NARA was unable to protect PII and NARA proprietary information from being distributed or compromised over its network and email system.

In June 2006, OMB issued memorandum M-06-16, Protection of Sensitive Agency Information, requiring all departments and agencies to only allow remote access with two-factor authentication where one of the factors was provided by a device, such as an RSA token, separate from the computer gaining access. The specific intent of this mandate was to compensate for the protections offered by the physical security controls when information was removed from or accessed outside of the agency locations. This safeguard along with others were to be reviewed and in place within 45 days of the June 23, 2006 memorandum.

[Figure: Example of an RSA Token]

At the time of our audit, NARA was not in compliance with the two-factor authentication requirements for remote access mandated by OMB. NARA did not have an enterprise-level remote access solution in place for its Work-at-Home or telework staff and NARA employees were unable to access NARA's intranet or shared drives from remote locations.
Instead, NARA had two remote access solutions in place; however, neither was designed or priced to provide remote access for the entire NARA work force. Their purpose and use were intended for restricted access by NARA IT operations staff and specific IT operations contract personnel for purposes of keeping the NARA information infrastructure, application servers, and other components operational. [Redacted pursuant to FOIA Exemption "high" b(2)]

In 2007, NARA began developing WAHS to meet the OMB requirement for two-factor authentication. However, due to a demonstrated lack of sound project management, this system has not been fully implemented. The Project Plan schedule showed that the WAHS would be deployed in September 2008, but the project did not meet this deadline. In an updated schedule, the deployment of the WAHS is scheduled to be completed in December 2009, 15 months after the original deployment date. Other deadlines in the project have been missed, including deadlines relating to user testing. Originally, WAHS was to be piloted with an advanced testing group of 50 NARA users by April 30, 2008; however, this was not completed until September 2008 and only 18 testers were included. Also, in a revised schedule, additional NH user testing was to be completed by January 7, 2009 and testing of users outside of NH was to be completed by March 19, 2009.
However, the additional NH testing was not completed until February 20, 2009 and as of May 21, 2009, testing outside of NH had not been completed. Successful user testing is important because it ensures the system meets defined acceptance criteria and operational objectives.

Without the WAHS in place, NARA continues to manage its remote access systems in their current state and is unable to provide two-factor authentication for remote access.

[Redacted pursuant to FOIA Exemption "high" b(2)]

Additionally, by not having an enterprise-level remote access solution in place, telework capabilities for NARA employees have been limited. NARA has over 2,700 employees who are eligible to work from home. However, some NARA employees were not able to work from home because of the lack of a secure remote access system. As the workforce continues to move away from traditional work times and locations, more employees will require easy, regular access to email and calendars. Further, the Office of Personnel Management has emphasized the importance of being telework ready, in order to continue essential operations during all phases of a pandemic influenza. Specifically, agencies need to implement and maintain a robust IT system with the necessary infrastructure, including bandwidth and VPN access, to accommodate a sudden spike in remote usage of systems.

Finally, during the audit, NARA's current Nortel Virtual Private Network⁴ (VPN) solution suddenly experienced an outage. By not fully deploying the WAHS, the replacement for the Nortel VPN, NARA did not have a remote access system to replace [Redacted pursuant to FOIA Exemption "high" b(2)].
Thus, NARA employees continued to not have secure remote access capabilities and [Redacted pursuant to FOIA Exemption "high" b(2)].

⁴ The Nortel VPN provides remote access capabilities for some NARA users. This access requires a properly configured NARA-issued laptop. The WAHS was developed to replace the Nortel VPN and greatly enhance the security of NARA's remote access.

Recommendation 1

We recommend the CIO ensure a system is put in place which meets the requirements for remote access with two-factor authentication.

Recommendation 2

We recommend the CIO discontinue or phase out any remote access which does not require two-factor authentication.

Recommendation 3

We recommend the CIO monitor the WAHS to ensure the established milestones and deadlines are met.

Management Comment(s)

Management concurred with recommendations.

NARA Did Not Follow IT Investment Management Requirements

In developing the WAHS, NARA did not follow all of the requirements of NARA's IT Investment Management Process. This occurred because management did not enforce the use of the process outlined in NARA 801 and the project proposal was not verified to ensure that proposal information was complete and adequately supported. Consequently, the approved solution was not adequately planned which contributed to the project falling behind schedule and wasting limited resources.
Further, alternatives were not completely vetted prior to the approval of the WAHS and NARA may not have chosen the best alternative for remote access with two-factor authentication.

The Clinger-Cohen Act required each agency to design and implement a process for maximizing the value and assessing and managing the risks of their information technology acquisitions. The act also required each agency to establish effective and efficient capital planning processes for selecting, managing, and evaluating the results of all of its major investments in information systems. To meet the requirements of the Clinger-Cohen Act, NARA developed its IT Investment Management Process, which was documented in NARA's Interim Guidance 801-2, Review of Information Technology (IT) Investments (NARA 801). One of the phases of this process is the Decide Process, which is described in the supplement to NARA 801, System Engineering Capital Planning Investment Management Decide Process. The Decide Process was intended to help ensure NARA (1) selects the best mix of IT investments to support NARA's strategic goals and (2) thoroughly analyzes an investment before a significant amount of resources are expended for those investments.

In the Decide Phase, projects being proposed for funding are reviewed and initially screened to (1) eliminate proposals that do not warrant further development and (2) ensure that full proposals are reviewed at the most appropriate organizational level. Critical aspects of this phase are management understanding, participation, and decision-making driven by accurate, up-to-date data, and an emphasis on using IT to efficiently achieve strategic goals. Proposals that pass the screening process have their costs, benefits, and risks analyzed in-depth.
This analysis is documented in a "Full Proposal". In general, Full Proposals assemble and analyze data collected and documented in system development lifecycle deliverables, such as Concept of Operations, Requirements Document, and Analysis of Alternatives. The supplement to NARA 801 provides the template and details the requirements for a Full Proposal.

We found the WAHS was not developed or approved in accordance with these Federal and NARA requirements. Particularly, we noted deficiencies in the project proposal, risk assessment, approval process, and authorized spending.

Project Proposal

Prior to the approval of the WAHS, a project proposal was prepared using the appropriate template in NARA 801. However, the project proposal did not include all necessary information and in some cases misleading or incorrect information was included in the proposal.
The following critical information was missing in the project proposal:

• The Design Overview section did not describe a technically feasible design, which could be accomplished within the time constraints of the project.
• The Assumptions and Constraints section did not address critical planning items such as scope, schedule, workload, dependencies, technology, users, stakeholders, interfaces, funding, and security.
• Security requirements and costs were not identified and integrated into the overall lifecycle cost of the investment and included in the investment's Cost Benefit Analysis (CBA) worksheet.

Misleading or incorrect information was also included in the Analysis of Alternatives, Project Benefits, and Acquisition Strategy sections. Specifically, the Analysis of Alternatives section stated that the selected alternative was "already proven and tightly integrated with the Citrix Access Suite currently in use at NARA". According to the Project Sponsor, this was based on the results of two other organizations (U.S. Patent Trade Office and Department of Treasury) that had successful results using Citrix and RSA tokens. However, both of these organizations had Microsoft exclusive operating environments, whereas NARA has a mixture of Novell and Microsoft operating environments. NARA's Novell system is not widely used in industry or government and offices, such as the Presidential Libraries, often run into interoperability problems with their strategic partners. Therefore, the statement could have been misleading to decision makers selecting the best alternative.

Also, in the discussion of Project Benefits, it stated NARA must implement the WAHS capability to satisfy an OMB mandate and comply with Homeland Security Presidential Directive-12⁵ (HSPD-12).
However, the selected alternative did not meet the requirements of HSPD-12, which mandated the use of a Personal Identity Verification (PIV) to gain both physical and logical access to federally controlled information systems.

⁵ The purpose of this directive was to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy by establishing a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors.

Finally, the acquisition strategy section of the project proposal should discuss how competition will be sought, promoted, and sustained. However, competition was not addressed in this section of the WAHS proposal. Instead, the proposal only stated that two existing contracts would be used to address the scope of this effort. This approach may have been acceptable; however, additional funding, totaling over $190,000, was required for one of the contractors to complete the needed tasks. This additional funding was not anticipated and was provided to the contractor through Technical Direction Letters, with a total ceiling price of $427,324.
Therefore, the acquisition strategy for the WAHS did not thoroughly seek, promote, or sustain competition.

Having complete and accurate information in the project proposal is crucial because, once a project proposal has been reviewed and approved, it becomes the Product Plan. This plan should incorporate (1) changes recommended as part of the proposal approval process and (2) the milestone review schedule established by the CIO.

Risk Assessment

The overall WAHS project risk assessment was also incorrect. According to NARA guidance, the highest risk factor in the areas of Technical Deployment, IT Architecture Impact, and Legal Regulations determines the overall project risk. Originally, the WAHS project was given a medium risk rating, even though its Technical Deployment⁶ was rated as high. Since the WAHS was considered an enterprise-wide project, this rating was appropriate. Therefore, the WAHS should have been rated as a high risk project.

Approval of Project

Because of the incorrect project risk rating, the WAHS proposal was not submitted to Information Technology Executive Committee (ITEC) for formal discussion, review, or scrutiny. ITEC was established to set the overall direction and policies governing NARA's information technology infrastructure and is responsible for prioritizing and advocating the rollout of major information technology initiatives. Also, as Chairman of ITEC, the Archivist or designated representative, is responsible for approving changes in direction or adoption of emerging technologies. According to the ITEC Secretary, any proposal with a high risk rating is required to be approved by ITEC.
However, since the initial WAHS project proposal was incorrectly rated as "medium", the WAHS was not formally reviewed, scrutinized, and approved by the members of ITEC prior to its approval.

After the WAHS proposal was approved, senior NH officials were asked if other alternatives were considered for the WAHS. The response was that no other alternatives were considered because the cost factor only approached $500,000. This was based on incorrect information or a misconception given the project's three year outsourcing costs totaled over $700,000 and the ten year total costs were over $5.2 million.

⁶ Technical deployment refers to the scope of project use from an organizational viewpoint.

Project Spending

Finally, NARA's Decide Process requires projects to be thoroughly analyzed before a significant amount of resources are expended. The pilot of the WAHS was authorized to spend up to $150,000. However, prior to the official approval of the WAHS, over $500,000 had already been spent on the project.

These deficiencies occurred because the controls outlined in the NARA 801 were not effectively implemented or enforced. Not only did the Proposal Development Team develop an incomplete project proposal, but NARA management did not enforce the process outlined in NARA 801 to ensure that an adequate project proposal was developed and approved. The proposal was reviewed and approved by the Architecture Review Board (ARB) and the Business Architecture Working Group (BAWG) even though some members of the BAWG had not completed their review.
Also, since the project was assigned an incorrect risk rating, it was not reviewed at the most appropriate organization level. The WAHS was not formally discussed at an ITEC meeting until after it was approved. Further, during these reviews, emphasis was not placed on finding or considering other alternatives; the only option presented throughout the process was approved. Thus, it appeared that management did not thoroughly review and question the project, prior to its approval.

Additionally, the project proposal was not verified, as required by NARA 801, to ensure it was adequately supported and the Decide Process was being executed as intended. During the time the WAHS proposal was developed and approved, the position for the NHP Capital Planning Branch (NHPC) Chief was vacant. The NHPC Branch Chief is responsible for documenting, executing, reporting, and managing IT Capital Planning functions as defined in NARA 801. With this position vacant and limited personnel in NHP, management had no assurance that the proposal data was adequately supported and the Decide Process was followed as intended.

Another NARA 801 control not properly followed was the preparation and review of monthly status reports. These reports were prepared by the project manager and were intended to provide information on accomplishments, problems encountered, actions required, schedule, costs, risks, and action items. In addition, these reports should be used to understand the condition of projects and change the course of a project when necessary. However, the monthly reports for the WAHS provided little to no information regarding the project and its status.
Further, problems, such as missed deadlines, additional risk factors, extra project spending, were not always identified or corrected during the review of these reports.

By not following NARA 801 requirements, the WAHS was not adequately planned causing the project to fall behind schedule and waste limited resources. Since the approved project proposal becomes the Product Plan, the deficiencies in the proposal were carried forward to the Project Plan and the project quickly fell behind schedule. Originally, the WAHS was to be deployed by September 2008; however, this deadline was not met due to additional technical requirements associated with the Novell Identity Management (IDM) drivers that were not identified during project planning. This also led to the break-fix⁷ which was discovered during the production testing.

By not meeting the deployment deadline, the WAHS wasted limited resources. For example, in April 2008 NARA paid the full yearly maintenance cost of $215,000 for 3,000 RSA tokens; however, only a small portion (approximately 50) of these tokens were distributed and used as part of user testing. In June 2009, NARA had planned to pay another $235,000 for the renewed maintenance of these tokens even though the system will not be fully deployed until at least December 2009. Since our audit, management has lowered the number of tokens needed to 1,500 decreasing the yearly maintenance cost to $143,100.

Furthermore, by not following established requirements, alternatives were not completely vetted prior to the approval of the WAHS. The impact of not fully vetting significant enterprise architecture, information technology infrastructure and applications developments can be profound.
Specifically, NARA may not have chosen the best option and limited resources could have been put to better use. One of the discounted alternatives would have met the requirements of HSPD-12, but was not chosen because it would have taken longer to implement. Instead, the selected alternative, which does not meet HSPD-12 requirements and was only supposed to cost $500,000, has now expended over $1.23 million and still is not operational.

Recommendation 4

We recommend the CIO ensure that the deficiencies noted in the project plan are corrected.

Recommendation 5

We recommend the CIO reevaluate the WAHS to ensure it is the best alternative to provide remote access with two-factor authentication.

Recommendation 6

We recommend the CIO enhance the controls in the IT Investment Management Process. With the issuance of the new NARA 801, we recommend the CIO specify who is responsible for verification activities in the IT Investment Management Process and controls to correct unfulfilled business requirements and variances in costs and schedule.

Management Comment(s)

Management concurred with recommendations.

⁷ A break-fix occurs when a supporting technology fails in the normal course of its function and needs intervention by some support organization.

Major Technical Challenges Remain

Even though the WAHS reached the deployment stage, major technical challenges remained to efficiently and effectively meet all OMB and NIST requirements. This occurred because the WAHS requirements were not adequately defined prior to the development of the WAHS.
[Redacted pursuant to FOIA Exemption "high" b(2)].

In addition to requiring two-factor authentication, OMB memorandum M-06-16 required agencies to take additional actions for the protection of PII, including:

• Implement NIST Special Publication 800-53 security controls requiring authenticated virtual private network (VPN) connection for remote access to PII.
• Implement NIST Special Publication 800-53 security controls ensuring that information is transported only in encrypted form for instances where PII is transported to a remote site.

Since the NARANet contains PII and other proprietary information, these requirements should have been met by the WAHS, by requiring an authenticated VPN connection and ensuring information is transported in an encrypted form. The specific intent of these requirements is to compensate for the physical security controls not present when sensitive information is removed or accessed from outside of the agency location. [Redacted pursuant to FOIA Exemption "high" b(2)]

While the WAHS was designed to meet the OMB two-factor authentication requirement, we found major technical challenges remain for the WAHS to efficiently and effectively meet all OMB and NIST security requirements for remote access. Specifically, the WAHS has not fully demonstrated how it will meet the requirements associated with VPN connections, encryption, monitoring and reviewing remote access connections, and token distribution.

VPN Connection

At the time of our audit, questions remained in whether the VPN connection for the WAHS would meet all security requirements. The WAHS included two separate types of remote access for NARA users.
One type provided remote access to virtualized
applications [8] with selected functionalities of NARANet, including access to email, shared
and personal drives, and Microsoft Office applications. The other was to provide Secure
Sockets Layer [9] (SSL) VPN capability to selected remote users. The initial design
intended to only provide this secure VPN connection to certain users to perform system
administration functions remotely. Later, it was decided to extend this VPN capability to
additional WAHS users, who needed to access systems beyond email, shared and
personal drives, and Microsoft Office applications. However, these users had to use a
NARA-issued laptop, even though this was not specified in the original requirements for
the WAHS. NARA has over 2,700 employees who are eligible to work from home, and
requiring each of these employees to use a NARA-issued laptop for remote access may
not be efficient and carries an undetermined cost, especially considering most do not work
from home on a regular basis.

[8] Virtualized applications provide remote users controlled access to selected applications and data. When a
remote user logs into the remote access system, they are presented with the same desktop setup they
normally see on their office computer thereby creating a virtual office desktop. The server "virtualizes" the
desktop by passing only screen pixels, keystrokes, and mouse movements over the wire to the remote
computer instead of the actual data itself. The process is transparent to end users and their experience is
the same as if they were using desktop applications locally on their computer.

Further, management had not yet determined what interrogation factor should be used to
verify if a NARA-furnished laptop is connecting to the Access Gateway to allow VPN
connectivity. An interrogation factor allows for the WAHS to establish an authenticated
connection, as required by NIST. However, a determination had not been made as to
what attribute would be common to all versions of the NARA baseline image, yet unique
to NARA computers for authentication. Also, even though the WAHS had reached the
deployment phase, the VPN capability had not been tested by a group of users.
Therefore, NARA lacked assurance that the WAHS would meet the security requirements
for VPN connections.

Encryption

For instances where PII is transported to a remote site, agencies were to implement
security controls ensuring information is transported only in encrypted form. These
controls included the use of validated cryptography. [10] NIST provides standards that
should be used by Federal organizations when implementing cryptographic-based
security systems to protect sensitive or valuable data. These standards are documented in
Federal Information Processing Standards Publication (FIPS PUB 140-2), Security
Requirements for Cryptographic Modules and are applicable to all Federal agencies that
use cryptographic-based security systems.
In addition, NIST requires organizations to
authorize, monitor, and control all methods of remote access to the information system.
Specifically, organizations should employ automated mechanisms to facilitate the
monitoring and control of remote access methods; use cryptography to protect the
confidentiality and integrity of remote access sessions; and control all remote accesses
through a limited number of managed access control points.

[9] Secure Sockets Layer (SSL) is a cryptographic protocol that provides secure communications on the
Internet for such things as web browsing, e-mail, Internet faxing, instant messaging, and other data
transfers.
[10] Cryptography deals with the transformation of ordinary text (plaintext) into coded form (ciphertext) by
encryption and transformation of ciphertext into plaintext by decryption.

However, it is uncertain whether the WAHS will meet each of these requirements.
Specifically, procedures have not been put in place to monitor the effectiveness of
installed encryption technologies. Also, at the time of the audit, a decision had not been
made on how to recognize an approved NARA laptop or user and an unapproved NARA
laptop or user. Further, in order for encryption to be successful, both ends of the
connection must be determined to be secure. However, NARA had not developed a way
to validate that a secure internet browser was being used by the remote user.
These
encryption technologies and controls provide agencies with a method of protecting
sensitive information and can reduce the occurrence of data breaches.

Token Distribution

At the time of our audit, the WAHS did not have any procedures in place to manage,
assign, distribute, and revoke RSA tokens for users. NIST requires that the organization
manages information system authenticators (tokens) by establishing administrative
procedures for initial authenticator distribution, for lost/compromised, or damaged
authenticators, and for revoking authenticators. These procedures need to be established
prior to the WAHS being rolled out enterprise wide. Of particular importance are the
responsibilities of managing the tokens at the NARA field offices. If not properly
accounted for, these tokens could end up in the hands of someone who is not authorized
to access the WAHS.

Other Security Concerns

During the audit, we noted that a point of entry into NARANet was established for
contractors to remotely manage one of the WAHS servers. NIST requires organizations
to authorize, monitor, and control any remotely executed maintenance and diagnostic
activities. However, controls still needed to be established for this connection.
Originally, the system design did not include a firewall to protect NARANet, but a
firewall was later added. The connection was not identified or detailed in the Security
Plan and records were not maintained for all remote maintenance and diagnostic
activities, as required by NIST. In addition, a SAS 70 [11] audit had not been completed for
the contractor. The SAS 70 audit process includes an in-depth audit examination of the
effectiveness of a service organization's internal controls.
Benefits of a SAS 70 audit
include the following:

    • Assurance that internal controls within the data center are in place, are suitably
      designed, and are operating effectively;
    • Assurance that physical access, IT infrastructure, data and network are secured
      against certain threats; and
    • Assurance that the data center's control policies and procedures have been
      evaluated and reviewed by an independent third party.

The OMB and NIST requirements were not met because system requirements were not
adequately defined prior to the start of the project. The Design Specification listed the
appropriate NIST controls that were applicable to the WAHS. However, plans were not
completed to discuss how each of these controls would be addressed and implemented.
For example, the Concept of Operations states the system shall exchange all data using an
encrypted link, but did not discuss how this would be accomplished. The technical
aspects of the WAHS were not fully developed prior to the approval and development of
the project.

[11] Statement on Auditing Standards No. 70, Service Organizations, can be helpful in examining the quality
of a potential business partner's information security controls.

---------- Redacted pursuant to FOIA Exemption "high" b(2) ----------

Recommendation 7

We recommend the CIO ensure the WAHS meets OMB and NIST requirements prior to
full implementation.

Management Comment(s)

Management concurred with recommendation.

National Archives and Records Administration
8601 Adelphi Road
College Park, Maryland 20740-6001

Date:    September 25, 2009
To:      OIG
From:    NH
Subject: Comments on OIG Draft Report 09-15,
         Audit of NARA's Work-At-Home System

Thank you for the opportunity to comment on this draft report. We concur with the
recommendations in the draft report and will proceed with an action plan to address them once
we have received the final report.

Assistant Archivist for Information Services

NARA's web site is http://www.archives.gov
'